Chinese Hackers Exploited Critical Security Vulnerability in Sophos Firewall

A sophisticated Chinese advanced persistent threat (APT) actor exploited a critical security vulnerability in Sophos’ firewall product that came to public attention earlier this year to infiltrate an unnamed South Asian target as part of a highly-targeted attack.


Volexity said in a report, “the attacker implement[ed] an interesting web shell backdoor, create[d] a secondary form of persistence, and ultimately launch[ed] attacks against the customer’s staff… These attacks aimed to further breach cloud-hosted web servers hosting the organization’s public-facing websites.”


The zero-day flaw is tracked as CVE-2022-1040 (CVSS score: 9.8), and concerns an authentication bypass vulnerability that can be weaponised to execute arbitrary code remotely. The flaw affects Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier.
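The affected range above (18.5 MR3, i.e. 18.5.3, and earlier) is the first thing a defender wants to check across a fleet. The following is an added example, not code from the article or from Sophos or Volexity: it normalises the two version spellings the article uses ("18.5 MR3" and "18.5.3"), plus a "GA" suffix, into a comparable tuple and flags devices at or below the last affected release. The mapping of "MRn" to patch level n and "GA" to patch level 0, and the inventory data, are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Last affected release named in the article: 18.5 MR3 == 18.5.3 (CVE-2022-1040).
LAST_AFFECTED = (18, 5, 3)

# Accepts "v18.5 MR3", "18.5 MR-3", "18.5.3", "19.0 GA", "18.5".
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)(?:\.(\d+))?\s*(?:MR[- ]?(\d+)|GA)?",
    re.IGNORECASE,
)


def parse_sophos_version(text: str) -> Tuple[int, int, int]:
    """Normalise a Sophos Firewall version string to (major, minor, patch).

    Assumption (not stated on the page): 'MRn' is patch level n and 'GA'
    is patch level 0, so '18.5 MR3' and '18.5.3' compare as equal.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Sophos Firewall version: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    if m.group(3) is not None:        # explicit third component, e.g. 18.5.3
        patch = int(m.group(3))
    elif m.group(4) is not None:      # maintenance release, e.g. MR3
        patch = int(m.group(4))
    else:                             # GA or bare major.minor
        patch = 0
    return (major, minor, patch)


def is_affected_by_cve_2022_1040(version: str) -> bool:
    """True when the release is 18.5 MR3 or earlier, the range the article gives."""
    return parse_sophos_version(version) <= LAST_AFFECTED


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the names of firewalls whose release falls in the affected range."""
    return [name for name, ver in inventory if is_affected_by_cve_2022_1040(ver)]


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("fw-branch-01", "18.5 MR3"),
    ("fw-dc-01", "18.5 MR4"),
    ("fw-lab", "v17.5 MR17"),
    ("fw-hq", "19.0 GA"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: release in CVE-2022-1040 affected range, verify hotfix status")
```

A version string alone cannot tell you whether a hotfix has been applied on top of an affected release, so treat the result as the set of devices that need their hotfix status confirmed, not as proof of exposure.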


Volexity issued a patch for the flaw on 25th March 2022. It noted that the flaw was abused to “target a small set of specific organisations primarily in the South Asia region” and that it had notified the affected entities directly.


According to the cybersecurity firm, evidence of exploitation of the flaw commenced on 5th March 2022, when it detected anomalous network activity originating from an unnamed customer’s Sophos Firewall running the then up-to-date version. Nearly three weeks later, the vulnerability was disclosed to the public.


Volexity said, “the attacker was using access to the firewall to conduct man-in-the-middle (MitM) attacks… The attacker used data collected from these MitM attacks to compromise additional systems outside of the network where the firewall resided.”


The infection sequence following the firewall breach further entailed backdooring a legitimate component of the security software with the Behinder web shell, which could be remotely accessed from any URL.


The Behinder web shell was also leveraged earlier this month by Chinese AP ..
